apicasso 0.6.5 → 0.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d09d0e339bfb17aa767876e5041f749e5154cedb2c327588713a14113d0e00dd
-  data.tar.gz: dd03efe8e6a7a64e4f67cae8e19f2d8be5a0782f10d1f0524114f3071969bbca
+  metadata.gz: 05272b515597bae8632763fc837cc5e18ac0ed42209068b4f88d19b6c7356043
+  data.tar.gz: 4e31ec9f33f2d7f1fe91c5154c80992390af1b65dc50e90b7e68f2ed2986472d
 SHA512:
-  metadata.gz: a456ef2a8afb8c238f99b693cbd3bf650753fb6c07f6c5e31724cd03e7d5607cb6edfbc67004521e1abcccbf13f80b628ba197fef4876993cfd1c8a4a6f36aae
-  data.tar.gz: 718d3734733cbeee045546495cd5f26985c799257172ca0434df0a7bd7db64e8a165c537ac17d1fda4f0cf8e3f82343bc9f8aa852e3d70958ffe4e4905ab77da
+  metadata.gz: 7f249d297a5ab7abc073f4419acae6f99b7e03859f2afbd170079f9d3832d634ae87b51891939fab83dc6b2fb600e2d01e07a888c645b5e9e3ce59a005980c5e
+  data.tar.gz: d33c492ef94b5184acb47b30f621d7fe5bc355868f6c08ae6fcf7bf8a59e81e55ac66c5104a005902e8c3f6c83ccccef8f94f1dc51ffeb3914bdac5663ed2da1

data/app/controllers/apicasso/crud_controller.rb

@@ -91,13 +91,6 @@ module Apicasso
       authorize! action_to_cancancan, @object
     end
 
-    # Used to setup the resource's schema, mapping attributes and it's types
-    def resource_schema
-      schemated = {}
-      resource.columns_hash.each { |key, value| schemated[key] = value.type }
-      schemated
-    end
-
     # Used to setup the records from the selected resource that are
     # going to be rendered, if authorized
     def set_records
@@ -180,13 +173,6 @@ module Apicasso
       end
     end
 
-    # Only allow a trusted parameter "white list" through,
-    # based on resource's schema.
-    def object_params
-      params.require(resource.name.underscore.to_sym)
-            .permit(resource_params)
-    end
-
     # Common setup to stablish which model is the resource of this request
     def set_root_resource
       @root_resource = params[:resource].classify.constantize

data/app/controllers/concerns/crud_utils.rb

@@ -31,36 +31,63 @@ module CrudUtils
     built
   end
 
+  # Used to setup the resource's schema, mapping attributes and it's types
+  def resource_schema
+    schemated = {}
+    resource.columns_hash.each { |key, value| schemated[key] = value.type }
+    schemated
+  end
+
   # A wrapper to has_one relations parameter building
   def has_one_params
     resource.reflect_on_all_associations(:has_one).map do |one|
-      if one.class_name.starts_with?('ActiveStorage')
-        next if one.class_name.ends_with?('Blob')
-
-        one.name.to_s.gsub(/(_attachment)$/, '').to_sym
-      else
-        one.name
-      end
+      relation_param(one)
     end.compact
   end
 
   # A wrapper to has_many parameter building
   def has_many_params
     resource.reflect_on_all_associations(:has_many).map do |many|
-      if many.class_name.starts_with?('ActiveStorage')
-        next if many.class_name.ends_with?('Blob')
-
-        { many.name.to_s.gsub(/(_attachments)$/, '').to_sym => [] }
-      else
-        { many.name.to_sym => [] }
-      end
+      relation_param(many)
     end.compact
   end
 
+  # Extract permitted parameter from relation based on it's type
+  # This method proccess ActiveStorage parameters differently,
+  # so that it becomes available without further configuration
+  def relation_param(relation)
+    if relation.class_name.starts_with?('ActiveStorage')
+      return if relation.class_name.ends_with?('Blob')
+
+      active_storage_param(relation)
+    else
+      common_relation_param(relation)
+    end
+  end
+
+  # Non-ActiveStorage relation parameter parsing, receives the
+  # relation reflection as parameter
+  def common_relation_param(relation)
+    if relation.has_one?
+      relation.name
+    else
+      { relation.name.to_sym => [] }
+    end
+  end
+
+  # ActiveStorage relation parameter parsing, receives the
+  # relation reflection as parameter
+  def active_storage_param(relation)
+    if relation.has_one?
+      relation.name.to_s.gsub(/(_attachment)$/, '').to_sym
+    else
+      { relation.name.to_s.gsub(/(_attachments)$/, '').to_sym => [] }
+    end
+  end
+
   # Parse to include options
   def include_options
-    { include: parsed_associations || [],
-      methods: parsed_methods || [] }
+    { include: parsed_associations || [], methods: parsed_methods || [] }
   end
 
   # Used to avoid errors parsing the search query, which can be passed as
@@ -75,25 +102,25 @@ module CrudUtils
   # Used to avoid errors in included associations parsing and to enable a
   # insertion point for a change on splitting method.
   def parsed_associations
-    params[:include].split(',').map do |param|
-      if @object.respond_to?(param)
-        param if associations_array.include?(param)
-      end
-    end.compact
-  rescue NoMethodError
-    []
+    parsed_include(:include)
   end
 
   # Used to avoid errors in included associations parsing and to enable a
   # insertion point for a change on splitting method.
   def parsed_methods
-    params[:include].split(',').map do |param|
-      if @object.respond_to?(param)
+    parsed_include(:method)
+  end
+
+  def parsed_include(opts = nil)
+    params[:include]&.split(',')&.map do |param|
+      next unless @object.respond_to?(param)
+
+      if opts == :method
         param unless associations_array.include?(param)
+      elsif opts == :include
+        param if associations_array.include?(param)
       end
-    end.compact
-  rescue NoMethodError
-    []
+    end&.compact
   end
 
   # Used to avoid errors in fieldset selection parsing and to enable a
@@ -136,4 +163,11 @@ module CrudUtils
     uri.query = Rack::Utils.build_query(query)
     uri.to_s
   end
+
+  # Only allow a trusted parameter "white list" through,
+  # based on resource's schema.
+  def object_params
+    params.require(resource.name.underscore.to_sym)
+          .permit(resource_params)
+  end
 end

data/app/controllers/concerns/orderable.rb

@@ -39,7 +39,8 @@ module Orderable
     attr.match(/\A[+-]/).nil? ? '+': attr.slice!(0)
   end
 
+  # Gets class of the resource of the current request
   def model
-    representative_resource.classify.constantize
+    (params[:nested] || params[:resource] || controller_name).classify.constantize
   end
 end

data/app/controllers/concerns/sql_security.rb

@@ -27,17 +27,23 @@ module SqlSecurity
 
   # Check if request is a sql injection
   def sql_injection(klass)
-    apicasso_parameters.each do |key, value|
-      if key.to_sym == :group
-        return false unless group_sql_safe?(klass, value)
-      else
-        return false unless parameters_sql_safe?(klass, value)
-      end
+    apicasso_parameters.each do |name, value|
+      next if safe_parameter?(klass, name, value)
+
+      return false
     end
   end
 
   private
 
+  def safe_parameter?(klass, name, value)
+    if name.to_sym == :group
+      group_sql_safe?(klass, value)
+    else
+      parameters_sql_safe?(klass, value)
+    end
+  end
+
   # Check for SQL injection before requests and
   # raise a exception when find
   def bad_request?

data/lib/apicasso/version.rb

@@ -3,5 +3,5 @@
 # A Module to rule them all...
 module Apicasso
   # Current gem version
-  VERSION = '0.6.5'.freeze
+  VERSION = '0.6.6'.freeze
 end

data/lib/generators/apicasso/install/install_generator.rb

@@ -29,7 +29,7 @@ module Apicasso
 
       # Create an initializer with CORS configuration to Apicasso
       def copy_initializer
-        copy_file 'apicasso.rb', 'config/initalizers/apicasso.rb'
+        copy_file 'apicasso.rb', 'config/initializers/apicasso.rb'
       end
     end
   end